'Re: [Full-disclosure] Orange Spain disclosing user phone number'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       full-disclosure
Subject:    Re: [Full-disclosure] Orange Spain disclosing user phone number
From:       B1towel <ben () b1towel ! com>
Date:       2010-08-30 14:48:45
Message-ID: 95DFE98C-5F78-4103-9989-F7368CB88980 () b1towel ! com
[Download RAW message or body]

[Attachment #2 (multipart/alternative)]


It would be funny to see advertisers send targeted SMS ads using this. I bet that the \
advertisers of web sites that participate in iframe ads would also get this information, \
assuming the Phone would load up iframe ads. 

I think the provider should fix this, because if someone developed an exploit similar to the \
one that was able to compromise the iPhone a while back just by sending a maliciously formed \
SMS message, your phone could be compromised just by going to a website where this information \
is sent to the web server.

I know this is pretty obvious, just my 2 cents.

On Aug 30, 2010, at 7:00 AM, full-disclosure-request@lists.grok.org.uk wrote:

> 
> Message: 2
> Date: Sun, 29 Aug 2010 21:09:50 +0200
> From: "xufi ." <xufxuf@gmail.com>
> Subject: [Full-disclosure] Orange Spain disclosing user phone number
> To: full-disclosure@lists.grok.org.uk
> Message-ID:
> 	<AANLkTinKy8UsAkPd0gg5UoSESdfeNE8bhjAA-OepKO1Q@mail.gmail.com>
> Content-Type: text/plain; charset=ISO-8859-1
> 
> Hi,
> Doing an assessment on mobile GWs I found that Orange Spain is adding
> the user MSISDN in any HTTP request sent in it?s network. That means
> that is really simple to get the user phone number from a Orange Spain
> user. On one hand, I saw that Orange Spain uses the header
> x-up-calling-line-id to add a user temporary ID that changes every 24h
> but I also found that in any HTTP request they will add the user phone
> number in the header X-Network-info. In particular the HTTP header
> looks like as follow:
> 
> X-Network-info: CSD,34xxxxxxxxx,unsecured
> 
> where xxxxxxxxx is the user MSISDN


[Attachment #5 (text/html)]

<html><body bgcolor="#FFFFFF"><div>It would be funny to see advertisers send targeted SMS ads \
using this. I bet that the advertisers of web sites that participate in iframe ads would also \
get this information, assuming the Phone would load up iframe \
ads.&nbsp;</div><div><br></div><div>I think the provider should fix this, because if someone \
developed an exploit similar to the one that was able to compromise the iPhone a while back \
just by sending a maliciously formed SMS message, your phone could be compromised just by going \
to a website where this information is sent to the web server.</div><div><br></div><div>I know \
this is pretty obvious, just my 2 cents.</div><div><br>On Aug 30, 2010, at 7:00 AM, <a \
href="mailto:full-disclosure-request@lists.grok.org.uk">full-disclosure-request@lists.grok.org.uk</a> \
wrote:<br><br></div><blockquote type="cite"><br><span>Message: 2</span><br><span>Date: Sun, 29 \
Aug 2010 21:09:50 +0200</span><br><span>From: "xufi ." &lt;<a href="mailto:xufxuf@gmail.com" \
x-apple-data-detectors="true"><a \
href="mailto:xufxuf@gmail.com">xufxuf@gmail.com</a></a>&gt;</span><br><span>Subject: \
[Full-disclosure] Orange Spain disclosing user phone number</span><br><span>To: <a \
href="mailto:full-disclosure@lists.grok.org.uk" x-apple-data-detectors="true"><a \
href="mailto:full-disclosure@lists.grok.org.uk">full-disclosure@lists.grok.org.uk</a></a></span><br><span>Message-ID:</span><br><span><span \
class="Apple-tab-span" style="white-space:pre">	</span>&lt;<a \
href="mailto:AANLkTinKy8UsAkPd0gg5UoSESdfeNE8bhjAA-OepKO1Q@mail.gmail.com" \
x-apple-data-detectors="true"><a \
href="mailto:AANLkTinKy8UsAkPd0gg5UoSESdfeNE8bhjAA-OepKO1Q@mail.gmail.com">AANLkTinKy8UsAkPd0gg5 \
UoSESdfeNE8bhjAA-OepKO1Q@mail.gmail.com</a></a>&gt;</span><br><span>Content-Type: text/plain; \
charset=ISO-8859-1</span><br><span></span><br><span>Hi,</span><br><span>Doing an assessment on \
mobile GWs I found that Orange Spain is adding</span><br><span>the user MSISDN in any HTTP \
request sent in it?s network. That means</span><br><span>that is really simple to get the user \
phone number from a Orange Spain</span><br><span>user. On one hand, I saw that Orange Spain \
uses the header</span><br><span>x-up-calling-line-id to add a user temporary ID that changes \
every 24h</span><br><span>but I also found that in any HTTP request they will add the user \
phone</span><br><span>number in the header X-Network-info. In particular the HTTP \
header</span><br><span>looks like as follow:</span><br><span></span><br><span>X-Network-info: \
CSD,34xxxxxxxxx,unsecured</span><br><span></span><br><span>where xxxxxxxxx is the user \
MSISDN</span></blockquote><div></div></body></html>



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic